The document contains a macro with an invalid signature. The macro holds a large amount of code, most of it probably padding meant to make it look like a legitimate macro at first glance.

Looking at the code's entry point, we see an AutoOpen function that runs automatically when the document is opened and the user enables content (shown in figure 3).

To evade signature-based detection, the authors of this infector avoid the obviously suspicious strings in their code. This is why we don't see "Powershell" or "WebClient" spelled out here.

Figure 3

We can see "cmd.exe", a URL, and strings assembled by concatenating the captions of labels on a form. A quick glance at the document's embedded objects reveals what is probably the rest of the command line (figure 4).

Figure 4

As the code runs, a cmd process is started with the arguments shown in figure 5.
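The chain described so far (Office document with a macro, a cmd.exe child, and PowerShell launched from it) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the original post or from the malware: it walks a small set of constructed process-creation events (field names loosely modelled on Sysmon Event ID 1) and reports every powershell.exe whose ancestry passes through cmd.exe back to an Office application. The sample command lines are invented for illustration and do not reproduce the real dropper's arguments.

```python
# Added example: flag powershell.exe launched (via cmd.exe) by an Office application,
# the process chain this dropper produces. Events below are constructed sample data.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events (pid, parent pid, image path, command line).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1"},
    # Benign noise: an admin's cmd/powershell pair spawned from explorer.exe.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Date"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=4):
    """Image basenames from the event up its parent chain, nearest first."""
    chain = []
    cur = event
    for _ in range(max_depth):
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
    return chain


def find_office_to_powershell(events):
    """Return (pid, chain) for every powershell.exe whose ancestors include
    cmd.exe and an Office application within max_depth hops."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        if chain[0] != "powershell.exe":
            continue
        parents = chain[1:]
        if "cmd.exe" in parents and any(p in OFFICE_APPS for p in parents):
            hits.append((e["pid"], chain))
    return hits


if __name__ == "__main__":
    for pid, chain in find_office_to_powershell(SAMPLE_EVENTS):
        print(f"suspicious powershell pid={pid}: {' <- '.join(chain)}")
```

Only pid 400 is reported; the admin's powershell (pid 600) has cmd.exe as a parent but no Office process above it. In production the same walk runs over Sysmon or EDR process trees, and the Office-parent condition is usually worth alerting on even without cmd.exe in between.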

Looking at the PowerShell script (SHA1: d9fb7d948fb35550a6fe82c9c94fb609d9a1f682), we see a large, well-documented function called "Invoke-Inj" that injects a DLL into a process. Right after it there is a function called "Invoke-GandCrab" (shown in figure 6 with its base64 content removed).

Figure 6

That function holds a base64 string containing the entire malicious DLL, which is the ransomware itself. The DLL is decoded into a byte array and handed to the injector.
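Recovering that DLL for further analysis means finding the large base64 string, decoding it, and confirming the result is a PE file before hashing it. The following is an added example, not code from the original post: it scans a PowerShell script for long base64 runs, decodes each one, checks the DOS header and the PE signature that e_lfanew points to, and returns size and SHA1 for every embedded PE. The script text and the "DLL" it embeds are constructed stand-ins (a minimal fake MZ/PE header), not the real sample.

```python
# Added example: carve a base64-embedded PE out of a PowerShell dropper script.
import base64
import binascii
import hashlib
import re

# Constructed fake payload: a DOS stub whose e_lfanew (offset 0x3C) points at a
# "PE\0\0" signature at offset 64. Not real malware, just enough to exercise the check.
FAKE_DLL = (
    b"MZ" + b"\x90" * 58
    + (64).to_bytes(4, "little")   # e_lfanew
    + b"PE\x00\x00" + b"\x00" * 32
)

# Constructed stand-in for the dropper: same shape as the script described above
# (an injector function, then a function holding the base64 payload), with invented bodies.
SAMPLE_SCRIPT = (
    "function Invoke-Inj { param($PEBytes, $ProcId) <# injector body omitted #> }\n"
    "function Invoke-GandCrab {\n"
    "    $b64 = '" + base64.b64encode(FAKE_DLL).decode() + "'\n"
    "    $bytes = [Convert]::FromBase64String($b64)\n"
    "    Invoke-Inj -PEBytes $bytes\n"
    "}\n"
    "Invoke-GandCrab\n"
)


def find_base64_blobs(text, min_len=40):
    """Decode every run of at least min_len base64 characters; skip runs that
    are not valid base64 (wrong length, bad padding)."""
    blobs = []
    pattern = r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    for m in re.finditer(pattern, text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
    return blobs


def looks_like_pe(blob):
    """True if blob starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def payload_sha1(blob):
    return hashlib.sha1(blob).hexdigest()


def carve_embedded_pes(script_text):
    """Return size and SHA1 for every base64 blob in the script that decodes to a PE."""
    return [
        {"size": len(blob), "sha1": payload_sha1(blob)}
        for blob in find_base64_blobs(script_text)
        if looks_like_pe(blob)
    ]


if __name__ == "__main__":
    for hit in carve_embedded_pes(SAMPLE_SCRIPT):
        print(f"embedded PE: {hit['size']} bytes, sha1={hit['sha1']}")
```

On a real sample, write the decoded bytes to disk and hash them so the DLL can be matched against threat intelligence independently of the script that carried it. The regex assumes the blob sits on one line; droppers that split the string across concatenated fragments need those joined first.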

Once the PS code is loaded, "Invoke-GandCrab" is called. The DLL is loaded into the target process, and at that point the attackers have won.